29.4 New Functionality

29.4.1 Databases

This section contains brief descriptions of any new databases introduced in Samba-3. Please remember to backup your existing ${lock directory}/*tdb before upgrading to Samba-3. Samba will upgrade databases as they are opened (if necessary), but downgrading from 3.0 to 2.2 is an unsupported path .

The new tdb files are described in Table 29.1.

Table 29.1. TDB File Descriptions

29.4.2 Changes in Behavior

The following issues are known changes in behavior between Samba-2.2 and Samba-3 that may affect certain installations of Samba.

1. When operating as a member of a Windows domain, Samba-2.2 would map any users authenticated by the remote DC to the " guest account " if a uid could not be obtained via the getpwnam() call. Samba-3 rejects the connection as NT_STATUS_LOGON_FAILURE. There is no current work around to re-establish the Samba-2.2 behavior.

2. When adding machines to a Samba-2.2 controlled domain, the " add user script " was used to create the UNIX identity of the Machine Trust Account. Samba-3 introduces a new " add machine script " that must be specified for this purpose. Samba-3 will not fall back to using the " add user script " in the absence of an " add machine script ".

29.4.3 Passdb Backends and Authentication

There have been a few new changes that Samba administrators should be aware of when moving to Samba-3.

1. Encrypted passwords have been enabled by default in order to interoperate better with out-of-the-box Windows client installations. This does mean that either (a) a Samba account must be created for each user, or (b) " encrypt passwords = no " must be explicitly defined in smb.conf .

2. Inclusion of new security = ads option for integration with an Active Directory domain using the native Windows Kerberos 5 and LDAP protocols.

Samba-3 also includes the possibility of setting up chains of authentication methods ( auth methods ) and account storage backends ( passdb backend ). Please refer to the smb.conf man page and Chapter 10, Account Information Databases , for details. While both parameters assume sane default values, it is likely that you will need to understand what the values actually mean in order to ensure Samba operates correctly.

Certain functions of the smbpasswd tool have been split between the new smbpasswd utility, the net tool and the new pdbedit utility. See the respective man pages for details.

29.4.4 LDAP

This section outlines the new features effecting Samba/LDAP integration.

29.4.4.1 New Schema

A new object class (sambaSamAccount) has been introduced to replace the old sambaAccount. This change aids us in the renaming of attributes to prevent clashes with attributes from other vendors . There is a conversion script (examples/LDAP/convertSambaAccount) to modify an LDIF file to the new schema.

Example:

 $ ldapsearch .... -b "ou=people,dc=..." > old.ldif $ convertSambaAccount <DOM SID> old.ldif new.ldif 

The <DOM SID> can be obtained by running

 $ net getlocalsid <DOMAINNAME> 

on the Samba PDC as root.

The old sambaAccount schema may still be used by specifying the ldapsam_compat passdb backend. However, the sambaAccount and associated attributes have been moved to the historical section of the schema file and must be uncommented before use if needed. The Samba-2.2 object class declaration for a sambaAccount has not changed in the Samba-3 samba.schema file.

Other new object classes and their uses include:

• sambaDomain ” domain information used to allocate RIDs for users and groups as necessary. The attributes are added in " ldap suffix " directory entry automatically if an idmap UID/GID range has been set and the " ldapsam " passdb backend has been selected.

• sambaGroupMapping ” an object representing the relationship between a posixGroup and a Windows group/SID. These entries are stored in the " ldap group suffix " and managed by the " net groupmap " command.

• sambaUNIXIdPool ” created in the " ldap idmap suffix " entry automatically and contains the next available " idmap UID " and " idmap GID ".

• sambaIdmapEntry ” object storing a mapping between a SID and a UNIX UID/GID. These objects are created by the idmap_ldap module as needed.

29.4.4.2 New Suffix for Searching

The following new smb.conf parameters have been added to aid in directing certain LDAP queries when passdb backend = ldapsam://... has been specified.

• ldap suffix ” used to search for user and computer accounts.

• ldap user suffix ” used to store user accounts.

• ldap machine suffix ” used to store Machine Trust Accounts.

• ldap group suffix ” location of posixGroup/sambaGroupMapping entries.

• ldap idmap suffix ” location of sambaIdmapEntry objects.

If an ldap suffix is defined, it will be appended to all of the remaining sub-suffix parameters. In this case, the order of the suffix listings in smb.conf is important. Always place the ldap suffix first in the list.

Due to a limitation in Samba's smb.conf parsing, you should not surround the DNs with quotation marks.

29.4.4.3 IdMap LDAP Support

Samba-3 supports an ldap backend for the idmap subsystem. The following options inform Samba that the idmap table should be stored on the directory server onterose in the "ou=idmap,dc=quenya,dc=org" partition.

  ...   idmap backend = ldap:ldap://onterose/   ldap idmap suffix = ou=idmap,dc=quenya,dc=org   idmap uid = 40000-50000   idmap gid = 40000-50000  

This configuration allows Winbind installations on multiple servers to share a UID/GID number space, thus avoiding the interoperability problems with NFS that were present in Samba-2.2.